Cybersecurity Compliance in 2025: What You Need to Know About the NIS2 Regulation
Hungary’s new cybersecurity law introduces significant changes for businesses. This new legislation, which transposes the European Union’s NIS2 Directive into Hungarian law in greater detail than the previous—still relatively recent—Hungarian regulations, will come into effect on January 1, 2025. It imposes several new obligations on affected organizations. The law aims to strengthen national cybersecurity systems, enhance information security levels, and facilitate effective handling of cyber threats.
Under the previous regulation, thousands of Hungarian businesses were required to begin preparing for compliance with the new rules in 2024. Companies were supposed to sign contracts for their first audit by December 31, 2024. However, due to the absence of an official regulatory decree, this was not possible. The decree was finally published in the Hungarian Gazette on January 31, 2025, clearing the way for businesses to proceed with the next steps.
What is the NIS2 Directive and Why is it Important?
The NIS2 (Network and Information Systems Directive 2) aims to strengthen the cybersecurity preparedness of EU member states and affected organizations within a unified European regulatory framework. The regulation imposes stricter requirements for risk management measures, reporting obligations, and increased regulatory oversight.
One of the most significant elements of NIS2 is the mandatory cybersecurity audit, which affected organizations must undergo every two years. This ensures that IT systems operate securely and provide adequate protection against cyber threats.
Who is Affected by the NIS2 Directive?
The scope of organizations subject to NIS2 is determined based on a complex set of criteria. The new regulation applies to:
- State and municipal bodies,
- Companies operating critical state infrastructure,
- Majority state-owned enterprises,
- Companies related to national defense interests.
Additionally, private enterprises providing essential and critical digital services are also covered by the law. These companies are categorized as follows:
- High-risk sectors: Energy, transportation, healthcare, drinking water and wastewater management, telecommunications, digital infrastructure, outsourced IT services, and the space industry.
- Risk sectors: Postal and courier services, food industry, waste management, chemical industry, manufacturing, digital services, and research.
If a company falls into one of the above categories, its size and revenue are also assessed. Organizations with at least 50 employees or an annual turnover exceeding €10 million are subject to the regulation. Notably, certain organizations—such as electronic communications service providers, trust service providers, DNS service providers, top-level domain registries, and domain registration services—must comply regardless of their size.
It is important to note that the Supervisory Authority for Regulated Activities (SZTFH) determines which organizations fall under the regulation based on its own legal interpretation. In some cases, the authority has rejected company registrations, arguing that the provided data did not classify them as affected organizations.
Deadlines and Required Actions
Hungarian businesses were required to assess in 2024 whether the new cybersecurity regulations applied to them. The SZTFH began registering affected organizations in January, with a registration deadline of June 30, 2024.
The next critical deadline was October 18, 2024, by which affected companies had to classify their electronic information systems and implement the security measures mandated by NIS2. The original deadline for signing a contract for the first mandatory cybersecurity audit was December 31, 2024. However, because the necessary regulatory decree had not yet been issued, this step was delayed. The SZTFH decree was finally published on January 31, 2025, allowing businesses to begin contracting auditors. The first audit must be completed by December 31, 2025. Additionally, affected organizations must pay an annual cybersecurity supervisory fee to the authority.
Cost of the Audit
The audit cost depends on the organization’s revenue, the number of electronic information systems it operates, and its security classification. The base fee is net HUF 1,750,000, which can be adjusted based on various multipliers. As a result, the final audit cost can range from HUF 1.5 million to HUF 140 million (plus VAT).
An illustrative example of the fee calculation: a medium-sized manufacturing company with an annual revenue of HUF 15 billion and an IT system in the basic security classification can expect audit costs between HUF 4-6 million + VAT. A large financial institution with a complex IT infrastructure may face audit costs of up to HUF 100 million + VAT.
No More Regulatory Barriers to Auditor Selection
Estimates suggest that 3,000-4,000 companies and organizations in Hungary may be affected by the NIS2 regulations. According to the SZTFH, over 3,800 registrations have been submitted, though some are expected to be rejected.
Currently, there are ten authorized auditors listed by the SZTFH (the list is available at https://sztfh.hu/nyilvantartasok/auditorok/).
Seven of these auditors can only assess organizations in the basic security classification, while only one is authorized to audit high-security classification organizations. This means that while regulatory barriers have been removed, limited service provider capacity may still present challenges in signing audit contracts.
Mandatory Reporting and Sanctions
- Companies operating in other EU member states must report by February 15, 2025, which countries they provide services in.
- Foreign companies affected by Hungarian regulations must also appoint and register an authorized representative.
- The SZTFH can impose fines based on compliance inspections, which can amount to a percentage of the company’s global revenue.
How can we assist?
Our law firm’s team of experts can help you navigate the requirements of the NIS2 Directive and provide support with mandatory audits and legal compliance. If you are unsure whether your company is affected by the regulation or need advice on the next steps, feel free to contact us!
